EP1049289B1 - Public-key signature methods and systems - Google Patents

Public-key signature methods and systems Download PDF

Info

Publication number
EP1049289B1
EP1049289B1 EP99401048A EP99401048A EP1049289B1 EP 1049289 B1 EP1049289 B1 EP 1049289B1 EP 99401048 A EP99401048 A EP 99401048A EP 99401048 A EP99401048 A EP 99401048A EP 1049289 B1 EP1049289 B1 EP 1049289B1
Authority
EP
European Patent Office
Prior art keywords
variables
vinegar
oil
equations
scheme
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
EP99401048A
Other languages
German (de)
English (en)
French (fr)
Other versions
EP1049289A1 (en
Inventor
Jacques Patarin
Aviad Kipnis
Louis Goubin
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CP8 Technologies SA
Synamedia Ltd
Original Assignee
Bull CP8 SA
NDS Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Bull CP8 SA, NDS Ltd filed Critical Bull CP8 SA
Priority to EP99401048A priority Critical patent/EP1049289B1/en
Priority to ES99401048T priority patent/ES2230814T3/es
Priority to DE69920875T priority patent/DE69920875T2/de
Priority to DK99401048T priority patent/DK1049289T3/da
Priority to IL135647A priority patent/IL135647A/en
Priority to US09/552,115 priority patent/US7100051B1/en
Priority to HK02100489.6A priority patent/HK1039004B/zh
Priority to AU46028/00A priority patent/AU774346B2/en
Priority to CNB008010382A priority patent/CN1285191C/zh
Priority to BRPI0006085A priority patent/BRPI0006085B1/pt
Priority to PCT/IB2000/000692 priority patent/WO2000067423A1/en
Priority to JP2000616162A priority patent/JP4183387B2/ja
Publication of EP1049289A1 publication Critical patent/EP1049289A1/en
Application granted granted Critical
Publication of EP1049289B1 publication Critical patent/EP1049289B1/en
Priority to JP2005114430A priority patent/JP2005253107A/ja
Anticipated expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3093Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving Lattices or polynomial equations, e.g. NTRU scheme

Definitions

  • the present invention generally relates to cryptography, and more particularly to public-key cryptography.
  • the set of k multivariable polynomial equations can be written as follows: where P 1 ,..., P K are multi variable polynomials of small total degree, typically, less than or equal to 8, and in many cases, exactly two.
  • the C* scheme is described in an article titled "Public Quadratic Polynomial-tuples for Efficient Signature Verification and Message-encryption” in Proceedings of EUROCRYPT'88, Springer-Verlag, pp. 419 - 453.
  • the HFE scheme is described in an article titled “Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms” in Proceedings of EUROCRYPT'96, Springer-Verlag, pp. 33 - 48.
  • HFE Hidden Fields Equations
  • IP Isomorphisms of Polynomials
  • HFE Hidden Fields Equations
  • the present invention seeks to improve security of digital signature cryptographic schemes in which the public-key is given as a set of k multivariable polynomial equations, typically, over a finite mathematical field K. Particularly, the present invention seeks to improve security of the basic form of the "Oil and Vinegar” and the HFE schemes.
  • An "Oil and Vinegar” scheme which is modified to improve security according to the present invention is referred to herein as an unbalanced "Oil and Vinegar” (UOV) scheme.
  • UOV unbalanced "Oil and Vinegar”
  • An HFE scheme which is modified to improve security according to the present invention is referred to herein as an HFEV scheme.
  • a set S1 of k polynomial functions is supplied as a public-key.
  • the set S1 preferably includes the functions P 1 (x 1 ,...,x n+v , y 1 ,...,y k ),..., P k (x 1 ,...,x n+v , y 1 ,...,y k ), where k, v, and n are integers, x 1 ,...,x n+v are n+v variables of a first type, and y 1 ,...,y k are k variables of a second type.
  • the set S 1 is preferably obtained by applying a secret key operation on a set S2 of k polynomial functions P' 1 (a 1 ,...,a n+v ,y 1 ,...,y k ),...,P' k (a 1 ,...,a n+v ,y 1 ,...,y k ) where a 1 ,...,a n+v are n+v variables which include a set of n "oil” variables a 1 ,...,a n , and a set of v "vinegar” variables a n+1 ,...,a n+v .
  • the secret key operation may include a secret affine transformation s on the n+v variables a 1 ,...,a n+v .
  • a hash function may be applied on the message to produce a series of k values b 1 ,...,b k .
  • the series of k values b 1 ,...,b k is preferably substituted for the variables y 1 ,...,y k of the set S2 respectively so as to produce a set S3 of k polynomial functions P" 1 (a 1 ,...,a n+v ),..., P" k (a 1 ,...,a n+v ).
  • v values a' n+1 ,...,a' n+v may be selected for the v "vinegar" variables a n+1 ,...,a n+v , either randomly or according to a predetermined selection algorithm.
  • the secret key operation may be applied to transform a' 1 ,...,a' n+v to a digital signature e 1 ,...,e n+v .
  • the generated digital signature e 1 ,...,e n+v may be verified by a verifier which may include, for example, a computer or a smart card.
  • the verifier preferably obtains the signature e 1 ,...,e n+v , the message, the hash function and the public key. Then, the verifier may apply the hash function on the message to produce the series of k values b 1 ,...,b k .
  • a digital signature cryptographic method including the steps of supplying a set S1 of k polynomial functions as a public-key, the set S1 including the functions P 1 (x 1 ,...,x n+v , y 1 ,...,y k ),..., P k (x 1 ,...,x n+v , y 1 ,...,y k ), where k, v, and n are integers, x 1 ,...,x n+v are n+v variables of a first type, y 1 ,...,y k are k variables of a second type, and the set S1 is obtained by applying a secret key operation on a set S2 of k polynomial functions P' 1 (a 1 ,...,a n+v ,y 1 ,...,y k ),...,P' k (a 1 ,...,a n+v ,y 1 ,...,...,
  • the method also includes the step of verifying the digital signature.
  • the secret key operation preferably includes a secret affine transformation s on the n+v variables a 1 ,...,a n+v .
  • the set S2 includes the set f(a) of k polynomial functions of the HFEV scheme.
  • the set S2 preferably includes an expression including k functions that are derived from a univariate polynomial.
  • the univariate polynomial preferably includes a univariate polynomial of degree less than or equal to 100,000.
  • the set S2 includes the set S of k polynomial functions of the UOV scheme.
  • the supplying step may preferably include the step of selecting the number v of "vinegar” variables to be greater than the number n of "oil” variables.
  • v is selected such that q v is greater than 2 32 , where q is the number of elements of a finite field K.
  • the supplying step includes the step of obtaining the set S1 from a subset S2' of k polynomial functions of the set S2, the subset S2' being characterized by that all coefficients of components involving any of the y 1 ,...,y k variables in the k polynomial functions P' 1 (a 1 ,...,a n+v ,y 1 ,...,y k ),...,P' k (a 1 ,...,a n+v ,y 1 ,...,y k ) are zero, and the number v of "vinegar" variables is greater than the number n of "oil" variables.
  • an improvement of an "Oil and Vinegar” signature method including the step of using more "vinegar” variables than "oil” variables.
  • FIG. 1 is a simplified block diagram illustration of a preferred implementation of a system 10 for generating and verifying a digital signature to a message, the system 10 being constructed and operative in accordance with a preferred embodiment of the present invention.
  • the system 10 includes a computer 15, such as a general purpose computer, which communicates with a smart card 20 via a smart card reader 25.
  • the computer 15 may preferably include a digital signature generator 30 and a digital signature verifier 35 which may communicate data via a communication bus 40.
  • the smart card 20 may preferably include a digital signature generator 45 and a digital signature verifier 50 which may communicate data via a communication bus 55.
  • a signer of a message and a receptor of a signed message agree on a public-key which is published, and on a hash function to be used.
  • the signer and the receptor may agree to change the hash function.
  • a generator of the public-key need not be the signer or the receptor.
  • the digital signature verifier 35 may verify a signature generated by one of the digital signature generator 30 and the digital signature generator 45.
  • the digital signature verifier 50 may verify a signature generated by one of the digital signature generator 30 and the digital signature generator 45.
  • FIG. 2A is a simplified flow chart illustration of a preferred digital signature cryptographic method for generating a digital signature to a message in a first processor (not shown), and to Fig. 2B which is a simplified flow chart illustration of a preferred digital signature cryptographic method for verifying the digital signature of Fig. 2A in a second processor (not shown), the methods of Figs. 2A and 2B being operative in accordance with a preferred embodiment of the present invention.
  • Figs. 2A and 2B may be implemented in hardware, in software or in a combination of hardware and software.
  • the first processor and the second processor may be identical.
  • the method may be implemented by the system 10 of Fig. 1 in which the first processor may be comprised, for example, in the computer 15, and the second processor may be comprised in the smart card 20, or vice versa.
  • Fig. 2A and 2B The methods of Fig. 2A and 2B, and applications of the methods of Figs. 2A and 2B are described in Appendix I which is incorporated herein.
  • the applications of the methods of Figs. 2A and 2B may be employed to modify the basic form of the "Oil and Vinegar" scheme and the HFE scheme thereby to produce the UOV and the HFEV respectively.
  • Appendix I includes an unpublished article by Aviad Kipnis, Jacques Patarin and Louis Goubin submitted for publication by Springer-Verlag in Proceedings of EUROCRYPT' 99 which is scheduled on 2 - 6 May 1999.
  • the article included in Appendix I also describes variations of the UOV and the HFEV schemes with small signatures.
  • a set S1 of k polynomial functions is preferably supplied as a public-key (step 100) by a generator of the public-key (not shown) which may be, for example, the generator 30 of Fig. 1, the generator 45 of Fig. 1, or an external public-key generator (not shown).
  • the set S1 preferably includes the functions P 1 (x 1 ,...,x n+v , y 1 ,...,y k ),..., P k (x 1 ,...,x n+v , y 1 ,...,y k ), where k, v, and n are integers, x 1 ,...,x n+v are n+v variables of a first type, and y 1 ,...,y k are k variables of a second type.
  • the set S1 is preferably obtained by applying a secret key operation on a set S2 of k polynomial functions P' 1 (a 1 ,...,a n+v ,y 1 ,...,y k ),...,P' k (a 1 ,...,a n+v ,y 1 ,...,y k ) where a 1 ,...,a n+v are n+v variables which include a set of n "oil” variables a 1 ,...,a n , and a set of v "vinegar” variables a n+1 ,...,a n+v .
  • the secret key operation may include a secret affine transformation s on the n+v variables a 1 ,...,a n+v .
  • oil variables and “vinegar” variables refer to “oil” variables and “vinegar” variables as defined in the basic form of the “Oil and Vinegar” scheme of Jacques Patarin which is described in the above mentioned article titled “The Oil and Vinegar Signature Scheme” presented at the Dagstuhl Workshop on Cryptography in September 1997.
  • a signer may apply a hash function on the message to produce a series of k values b 1 ,...,b k (step 110).
  • the signer may be, for example, the generator 30 or the generator 45 of Fig. 1.
  • the series of k values b 1 ,...,b k is preferably substituted for the variables y 1 ,...,y k of the set S2 respectively so as to produce a set S3 of k polynomial functions P" 1 (a 1 ,...,a n+v ),..., P" k (a 1 ,...,a n+v ) (step 115).
  • v values a' n+1 ,...,a' n+v may be randomly selected for the v "vinegar" variables a n+1 ,...,a n+v (step 120).
  • the v values a' n+1 ,...,a' n+v may be selected according to a predetermined selection algorithm.
  • the secret key operation may be applied to transform a' 1 ,...,a' n+v to a digital signature e 1 ,...,e n+v (step 130).
  • the generated digital signature e 1 ,...,e n+v may be verified according to the method described with reference to Fig. 2B by a verifier of the digital signature (not shown) which may include, for example, the verifier 35 or the verifier 50 of Fig. 1.
  • the verifier preferably obtains the signature e 1 ,...,e n+v , the message, the hash function and the public key (step 200). Then, the verifier may apply the hash function on the message to produce the series of k values b 1 ,...,b k (step 205).
  • the generation and verification of the digital signature as mentioned above may be used for the UOV by allowing the set S2 to include the set S of k polynomial functions of the UOV scheme as described in Appendix I.
  • the generation and verification of the digital signature as mentioned above may be used for the HFEV by allowing the set S2 to include the set f(a) of k polynomial functions of the HFEV scheme as described in Appendix I.
  • Figs. 2A and 2B enable obtaining of digital signatures which are typically smaller than digital signatures obtained in conventional number theoretic cryptography schemes, such as the well known RSA scheme.
  • the set S1 when the set S2 includes the set S of k polynomial functions of the UOV scheme, the set S1 may be supplied with the number v of "vinegar" variables being selected to be greater than the number n of "oil" variables.
  • v may be also selected such that q v is greater than 2 32 , where q is the number of elements of a finite field K over which the sets S1, S2 and S3 are provided.
  • the S1 may be obtained from a subset S2' of k polynomial functions of the set S2, the subset S2' being characterized by that all coefficients of components involving any of the y 1 ,...,y k variables in the k polynomial functions P' 1 (a 1 ,...,a n+v ,y 1 ,...,y k ),...,P' k (a 1 ,...,a n+v ,y 1 ,...,y k ) are zero, and the number v of "vinegar" variables is greater than the number n of "oil" variables.
  • the number v of "vinegar” variables is chosen to be equal to the number n of "oil” variables.
  • Aviad Kipnis who is one of the inventors of the present invention
  • Adi Shamir have shown, in the above mentioned Proceedings of CRYPTO 98, Springer, LNCS n°1462, on pages 257 - 266, a cryptanalysis of the basic "Oil and Vinegar” signature scheme which renders the basic "Oil and Vinegar” scheme insecure.
  • the basic "Oil and Vinegar” scheme may be shown to be insecure for any number v of "vinegar” variables which is lower than the number n of "oil” variables.
  • the UOV scheme is considered secure for values of v which satisfy the inequality q (v-n)-1 x n 4 > 2 40 . It is appreciated that for values of v which are higher than n 2 /2 but less than or equal to n 2 , the UOV is also considered secure, and solving the set S1 is considered to be as difficult as solving a random set of k equations. For values of v which are higher than n 2 , the UOV is believed to be insecure.
  • the UOV scheme is considered secure for values of v which are substantially greater than n*(1 + sqrt(3)) and lower than or equal to n 3 /6. It is appreciated that for values of v which are higher than n 3 /6 but lower than or equal to n 3 /2, the UOV is also considered secure, and solving the set S1 is considered to be as difficult as solving a random set of k equations. For values of v which are higher than n 3 /2, and for values of v which are lower than n*(1 + sqrt(3)), the UOV is believed to be insecure.
  • the UOV scheme is considered secure for values of v which are substantially greater than n and lower than or equal to n 3 /6. It is appreciated that for values of v which are higher than n 3 /6 but lower than or equal to n 4 , the UOV is also considered secure, and solving the set S1 is considered to be as difficult as solving a random set of k equations. For values of v which are higher than n 4 , and for values of v which are lower than n, the UOV is believed to be insecure.
  • the set S2 may include an expression which includes k functions that are derived from a univariate polynomial.
  • the univariate polynomial may include a polynomial of degree less than or equal to 100,000 on an extension field of degree n over K.
  • n and v be two integers.
  • y ( y 1 , ..., y n ).
  • the secret key is made of two parts:
  • the coefficients ⁇ ijk , ⁇ ijk , ⁇ ij , ⁇ ' ij and ⁇ i are the secret coefficients of these n equations.
  • the values a 1 , ..., a n (the "oil” unknowns) and a ' 1 , ..., a ' v (the "vinegar” unknowns) lie in K . Note that these equations ( S ) contain no terms in a i a j .
  • Each value y i , 1 ⁇ i ⁇ n can be written as a polynomial P i of total degree two in the x j unknowns, 1 ⁇ j ⁇ n + v .
  • a signature x of y is valid if and only if all the ( P ) are satisfied. As a result, no secret is needed to check whether a signature is valid: this is an asymmetric signature scheme.
  • Definition 3.1 We define the oil subspace to be the linear subspace of all vectors in K 2 n whose second half contains only zeros.
  • Definition 3.2 We define the vinegar subspace as the linear subspace of all vectors in K 2 n whose first half contains only zeros.
  • E and F be a 2 n x 2 n matrices with an upper left zero n ⁇ n submatrix. If F is invertible then the oil subspace is an invariant subspace of EF -1 .
  • Theorem 3.1 O is a common invariant subspace of all the matrices G ij .
  • the two inner matrices have the form of E and F in lemma 1. Therefore, the oil subspace is an invariant subspace of the inner term and O is an invariant subspace of G i G -1 / j .
  • the problem of finding common invariant subspace of set of matrices is studied in [5]. Applying the algorithms in [5] gives us O .
  • Lemma 1 is not true any more when v > n .
  • the oil subspace is still mapped by E and F into the vinegar subspace.
  • F -1 does not necessary maps the image by E of the oil subspace back into the oil subspace and this is why the cryptanalysis of the original oil and vinegar is not valid for the unbalanced case. This corresponds to the fact that, if the submatrix of zeros in the top left corner of F is smaller than n ⁇ n , then F -1 does not have (in general) a submatrix of zeros in the bottom right corner. For example:
  • Definition 4.1 We define in this section the oil subspace to be the linear subspace of all vectors in K n + v whose last v coordinates are only zeros.
  • the vinegar subspace to be the linear subspace of all vectors in K n + v whose first n coordinates are only zeros.
  • the matrices G i have the representation where the upper left matrix is the n ⁇ n zero matrix, A i is a n ⁇ v matrix, B i is a v ⁇ n matrix, C i is a v ⁇ v matrix and S is a ( n + v ) ⁇ ( n + v ) invertible linear matrix.
  • I 1 is a subspace with dimension not less than n - d and is mapped by FE -1 / k into a subspace with dimension n .
  • the probability for a non zero vector to be mapped to a non zero multiple of itself is q -1 / q n -1.
  • To get the expected value we multiply it by the number of non zero vectors in I 1 . It gives a value which is not less than ( q -1)( q n - d -1) / q n -1.
  • the inner term is an invariant subspace of the oil subspace with the required probability. Therefore, the same will hold for FG -1 / k , but instead of a subspace of the oil subspace, we get a subspace of O .
  • ( A ) be a random set of n quadratic equations in ( n + v ) variables x 1 , ..., x n + v . (By "random” we mean that the coefficients of these equations are uniformly and randomly chosen).
  • ( B ) has a very special shape ! This is why there is a polynomial algorithm for 99% of the equations without contradicting the fact that solving these sets ( B ) of equations is a NP-hard problem.
  • the main idea of the algorithrn consists in using a change of variables such as: whose ⁇ i , j coefficients (for 1 ⁇ i ⁇ n , 1 ⁇ j ⁇ n + v ) are found step by step, in order that the resulting system ( S ') (written with respect to these new variables y 1 , ..., y n+v ) is easy to solve.
  • n vectors are very likely to be linearly independent for a random quadratic system ( S ).
  • the remaining ⁇ i , j constants i.e . those with n + 1 ⁇ i ⁇ n + v and 1 ⁇ j ⁇ n + 1) are randomly chosen, so as to obtain a bijective change of variables.
  • a 1 , ..., a n be n elements of K , called the "oil” unknowns.
  • the secret key is made of two parts:
  • Each value y i , 1 ⁇ i ⁇ n can be written as a polynomial P i of total degree three in the x j unknowns, 1 ⁇ j ⁇ n + v .
  • P the set of the following n equations:
  • Step 1 We randomly choose the v vinegar unknowns a ' i , and then we compute the a i unknowns from ( S ) by Gaussian reductions (because - since there are no a i a j terms - the ( S ) equations are affine in the a i unknowns when the a ' i are fixed. (If we find no solution for this affine system of n equations and n "oil” unknowns, we just try again with new random "vinegar” unknowns.)
  • a signature x of y is valid if and only if all the ( P ) are satisfied.
  • the cryptanalyst can specify about n - 1 of the coordinates d k of d , since the vectorial space of the correct d is of dimension n . It remains thus to solve n ⁇ ( n + v ) quadratic equations in ( v +1) unknowns d j .
  • v is not too large (typically when ( v +1) 2 / 2 ⁇ n ( n + v ), i . e . when v ⁇ (1 + 3 ) n ), this is expected to be easy.
  • is odd, this gives a simple way to break the scheme.
  • this convention can be that the linear terms of L in the equation number i (1 ⁇ i ⁇ n ) are computed from Hash( i ⁇ Id ) (or from Hash( i ⁇ P )), where Hash is a public hash function and where Id is the identity of the owner of the secret key.
  • the signature scheme is the one of section 2.
  • the length of the public key is approximately n ⁇ ( (n+v) 2 / 2) bits. This gives here a huge value: approximately 1.1 Mbytes (or 2 Mbytes) !
  • the length of the secret key (the s matrix) is approximately ( n + v ) 2 bits, i.e. approximately 18 Kbytes.
  • this secret key can always be generated from a small secret seed of, say, 64 bits.
  • the signature scheme is the one section 8.
  • the length of the public key is 144 Kbytes (or 256 Kbytes).
  • the signature scheme is the one section 8.
  • the length of the public key is 9 Kbytes (or 16 Kbytes).
  • s is a secret affine bijection of F 16 such that all its coefficients lie in F 2 .
  • the secret quadratic coefficients are also chosen in F 2 , so that the public functions P i , 1 ⁇ i ⁇ n , are n quadratic equations in ( n + v ) unknowns of F 16 , with coefficients in F 2 .
  • the signature scheme is still the one of section 8
  • the length of the public key is 2.2 Kbytes (or 4 Kbytes).
  • n ⁇ 16 in order to avoid Gröbner bases algorithms to find a solution x
  • q n ⁇ 2 64 in order to avoid exhaustive search on x .

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Mathematical Optimization (AREA)
  • General Physics & Mathematics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Physics (AREA)
  • Algebra (AREA)
  • Complex Calculations (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)
EP99401048A 1999-04-29 1999-04-29 Public-key signature methods and systems Expired - Lifetime EP1049289B1 (en)

Priority Applications (13)

Application Number Priority Date Filing Date Title
EP99401048A EP1049289B1 (en) 1999-04-29 1999-04-29 Public-key signature methods and systems
ES99401048T ES2230814T3 (es) 1999-04-29 1999-04-29 Metodos y sistemas de firma de clave publica.
DE69920875T DE69920875T2 (de) 1999-04-29 1999-04-29 Vorrichtung und Verfahren zum Berechnen einer digitalen Unterschrift
DK99401048T DK1049289T3 (da) 1999-04-29 1999-04-29 Offentlig nögle underskriftfremgangsmåde og -systemer
IL135647A IL135647A (en) 1999-04-29 2000-04-13 Public-key signature methods and systems
US09/552,115 US7100051B1 (en) 1999-04-29 2000-04-19 Public-key signature methods and systems
HK02100489.6A HK1039004B (zh) 1999-04-29 2000-04-28 公共密钥签字的方法和系统
AU46028/00A AU774346B2 (en) 1999-04-29 2000-04-28 Public-key signature methods and systems
CNB008010382A CN1285191C (zh) 1999-04-29 2000-04-28 公共密钥签字的方法和系统
BRPI0006085A BRPI0006085B1 (pt) 1999-04-29 2000-04-28 sistemas e métodos de assinatura de chave pública
PCT/IB2000/000692 WO2000067423A1 (en) 1999-04-29 2000-04-28 Public-key signature methods and systems
JP2000616162A JP4183387B2 (ja) 1999-04-29 2000-04-28 公開鍵を署名する方法とシステム
JP2005114430A JP2005253107A (ja) 1999-04-29 2005-04-12 公開鍵を署名する方法とシステム

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
EP99401048A EP1049289B1 (en) 1999-04-29 1999-04-29 Public-key signature methods and systems

Publications (2)

Publication Number Publication Date
EP1049289A1 EP1049289A1 (en) 2000-11-02
EP1049289B1 true EP1049289B1 (en) 2004-10-06

Family

ID=8241961

Family Applications (1)

Application Number Title Priority Date Filing Date
EP99401048A Expired - Lifetime EP1049289B1 (en) 1999-04-29 1999-04-29 Public-key signature methods and systems

Country Status (12)

Country Link
US (1) US7100051B1 (enExample)
EP (1) EP1049289B1 (enExample)
JP (2) JP4183387B2 (enExample)
CN (1) CN1285191C (enExample)
AU (1) AU774346B2 (enExample)
BR (1) BRPI0006085B1 (enExample)
DE (1) DE69920875T2 (enExample)
DK (1) DK1049289T3 (enExample)
ES (1) ES2230814T3 (enExample)
HK (1) HK1039004B (enExample)
IL (1) IL135647A (enExample)
WO (1) WO2000067423A1 (enExample)

Families Citing this family (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2810139B1 (fr) * 2000-06-08 2002-08-23 Bull Cp8 Procede de securisation de la phase de pre-initialisation d'un systeme embarque a puce electronique, notamment d'une carte a puce, et systeme embarque mettant en oeuvre le procede
WO2002084590A1 (en) * 2001-04-11 2002-10-24 Applied Minds, Inc. Knowledge web
US7844610B2 (en) * 2003-12-12 2010-11-30 Google Inc. Delegated authority evaluation system
US20030195834A1 (en) * 2002-04-10 2003-10-16 Hillis W. Daniel Automated online purchasing system
US20030196094A1 (en) * 2002-04-10 2003-10-16 Hillis W. Daniel Method and apparatus for authenticating the content of a distributed database
US8069175B2 (en) * 2002-04-10 2011-11-29 Google Inc. Delegating authority to evaluate content
US7600118B2 (en) * 2002-09-27 2009-10-06 Intel Corporation Method and apparatus for augmenting authentication in a cryptographic system
US7765206B2 (en) 2002-12-13 2010-07-27 Metaweb Technologies, Inc. Meta-Web
US8012025B2 (en) * 2002-12-13 2011-09-06 Applied Minds, Llc Video game controller hub with control input reduction and combination schemes
US20050131918A1 (en) * 2003-12-12 2005-06-16 W. Daniel Hillis Personalized profile for evaluating content
US7961876B2 (en) * 2005-01-11 2011-06-14 Jintai Ding Method to produce new multivariate public key cryptosystems
CN1870499B (zh) * 2005-01-11 2012-01-04 丁津泰 产生新的多变量公钥密码系统的方法
WO2007057610A1 (fr) * 2005-11-18 2007-05-24 France Telecom Systeme et procede cryptographique d'authentification ou de signature
FR2916317B1 (fr) * 2007-05-15 2009-08-07 Sagem Defense Securite Protection d'execution d'un calcul cryptographique
CN101321059B (zh) * 2007-06-07 2011-02-16 管海明 一种用于编码和译码数字消息的方法和系统
FR2918525A1 (fr) 2007-07-06 2009-01-09 France Telecom Procede asymetrique de chiffrement ou de verification de signature.
CN101227286B (zh) * 2008-01-31 2010-04-14 北京飞天诚信科技有限公司 一种生成消息认证码的方法
WO2011033642A1 (ja) * 2009-09-17 2011-03-24 株式会社 東芝 署名生成装置及び署名検証装置
JP2011107528A (ja) * 2009-11-19 2011-06-02 Sony Corp 情報処理装置、鍵生成装置、署名検証装置、情報処理方法、署名生成方法、及びプログラム
IL205803A0 (en) 2010-05-16 2010-12-30 Yaron Sella Collision-based signature scheme
IL206139A0 (en) 2010-06-02 2010-12-30 Yaron Sella Efficient multivariate signature generation
IL207918A0 (en) 2010-09-01 2011-01-31 Aviad Kipnis Attack-resistant multivariate signature scheme
JP5790287B2 (ja) * 2011-08-12 2015-10-07 ソニー株式会社 情報処理装置、情報処理方法、プログラム、及び記録媒体
CN105359455A (zh) * 2013-07-12 2016-02-24 皇家飞利浦有限公司 电子签名系统
CN103457726B (zh) * 2013-08-26 2016-12-28 华南理工大学 基于矩阵的多变量公钥加密方法
CN103780383B (zh) * 2014-01-13 2017-05-31 华南理工大学 一种基于超球面的多变量公钥签名/验证系统及方法
CN104009848B (zh) * 2014-05-26 2017-09-29 华南理工大学 一种混合型的多变量数字签名系统及方法
CN105245343B (zh) * 2015-09-22 2018-09-14 华南理工大学 一种基于多变量密码技术的在线离线签名系统及方法
US11030618B1 (en) 2016-09-30 2021-06-08 Winkk, Inc. Authentication and personal data sharing for partner services using out-of-band optical mark recognition
JP7322763B2 (ja) * 2020-03-13 2023-08-08 日本電信電話株式会社 鍵生成装置、鍵生成方法及びプログラム
US12395353B2 (en) * 2022-09-21 2025-08-19 Winkk, Inc. Authentication process with an exposed and unregistered public certificate

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
NZ240019A (en) * 1991-09-30 1996-04-26 Peter John Smith Public key encrypted communication with non-multiplicative cipher
US5263085A (en) 1992-11-13 1993-11-16 Yeda Research & Development Co. Ltd. Fast signature scheme based on sequentially linearized equations
US5375170A (en) 1992-11-13 1994-12-20 Yeda Research & Development Co., Ltd. Efficient signature scheme based on birational permutations
FR2737370B1 (fr) * 1995-07-27 1997-08-22 Bull Cp8 Procede de communication cryptographique
FR2744309B1 (fr) * 1996-01-26 1998-03-06 Bull Cp8 Procede de communicatin cryptographique asymetrique, et objet portatif associe
US6076163A (en) * 1997-10-20 2000-06-13 Rsa Security Inc. Secure user identification based on constrained polynomials

Also Published As

Publication number Publication date
IL135647A0 (en) 2001-05-20
BRPI0006085B1 (pt) 2016-05-10
IL135647A (en) 2010-11-30
WO2000067423A1 (en) 2000-11-09
DK1049289T3 (da) 2005-02-14
EP1049289A1 (en) 2000-11-02
AU4602800A (en) 2000-11-17
AU774346B2 (en) 2004-06-24
ES2230814T3 (es) 2005-05-01
US7100051B1 (en) 2006-08-29
BR0006085A (pt) 2001-03-20
HK1039004A1 (en) 2002-04-04
DE69920875D1 (de) 2004-11-11
CN1285191C (zh) 2006-11-15
CN1314040A (zh) 2001-09-19
JP4183387B2 (ja) 2008-11-19
DE69920875T2 (de) 2005-10-27
JP2002543478A (ja) 2002-12-17
JP2005253107A (ja) 2005-09-15
HK1039004B (zh) 2007-05-04

Similar Documents

Publication Publication Date Title
EP1049289B1 (en) Public-key signature methods and systems
Kipnis et al. Unbalanced oil and vinegar signature schemes
Patarin et al. C−+* and HM: Variations around two schemes of T. Matsumoto and H. Imai
Courtois et al. Algebraic cryptanalysis of the data encryption standard
Patarin et al. QUARTZ, 128-Bit Long Digital Signatures: http://www. minrank. org/quartz
Benhamouda et al. CCA-secure inner-product functional encryption from projective hash functions
Masuda et al. Chaotic block ciphers: from theory to practical algorithms
Galbraith Elliptic curve Paillier schemes
EP2873186B1 (en) Method and system for homomorphicly randomizing an input
EP2591570B1 (en) Attack-resistant multivariate signature scheme
Ding et al. Cryptanalysis of HFEv and internal perturbation of HFE
US8958560B2 (en) Efficient multivariate signature generation
EP2966802A1 (en) Method for ciphering and deciphering digital data, based on an identity, in a multi-authorities context
US5790675A (en) Cryptographic communication process
WO1993003562A1 (en) Digital signature algorithm
US6088798A (en) Digital signature method using an elliptic curve, a digital signature system, and a program storage medium having the digital signature method stored therein
US20130073855A1 (en) Collision Based Multivariate Signature Scheme
US9356783B2 (en) Method for ciphering and deciphering, corresponding electronic device and computer program product
KR19980703470A (ko) 비대칭 암호 통신방법 및 이와 관련된 포터블 객체
CN111712816B (zh) 使用密码蒙蔽以用于高效地使用蒙哥马利乘法
Hakuta et al. Batch verification suitable for efficiently verifying a limited number of signatures
Park et al. On the security of reduced versions of 3-pass HAVAL
Cheon et al. A cryptanalysis of the original Domingo-Ferrer's algebraic privacy homomophism
Smith-Tone Properties of the discrete differential with cryptographic applications
Barthe et al. A machine-checked formalization of the random oracle model

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): BE CH DE DK ES FR GB IT LI NL SE

AX Request for extension of the european patent

Free format text: AL;LT;LV;MK;RO;SI

17P Request for examination filed

Effective date: 20010421

AKX Designation fees paid

Free format text: BE CH DE DK ES FR GB IT LI NL SE

17Q First examination report despatched

Effective date: 20030911

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: NDS LIMITED

Owner name: BULL CP8

RIN1 Information on inventor provided before grant (corrected)

Inventor name: GOUBIN, LOUIS

Inventor name: KIPNIS, AVIAD

Inventor name: PATARIN, JACQUES

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: NDS LIMITED

Owner name: BULL CP8

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): BE CH DE DK ES FR GB IT LI NL SE

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REF Corresponds to:

Ref document number: 69920875

Country of ref document: DE

Date of ref document: 20041111

Kind code of ref document: P

REG Reference to a national code

Ref country code: CH

Ref legal event code: NV

Representative=s name: ISLER & PEDRAZZINI AG

REG Reference to a national code

Ref country code: SE

Ref legal event code: TRGR

REG Reference to a national code

Ref country code: DK

Ref legal event code: T3

RAP2 Party data changed (patent owner data changed or rights of a patent transferred)

Owner name: NDS LIMITED

Owner name: CP8 TECHNOLOGIES

RAP2 Party data changed (patent owner data changed or rights of a patent transferred)

Owner name: NDS LIMITED

Owner name: CP8 TECHNOLOGIES

REG Reference to a national code

Ref country code: ES

Ref legal event code: FG2A

Ref document number: 2230814

Country of ref document: ES

Kind code of ref document: T3

NLT2 Nl: modifications (of names), taken from the european patent patent bulletin

Owner name: CP8 TECHNOLOGIES EN NDS LIMITED

NLT2 Nl: modifications (of names), taken from the european patent patent bulletin

Owner name: CP8 TECHNOLOGIES EN NDS LIMITED

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

ET Fr: translation filed
NLS Nl: assignments of ep-patents

Owner name: NDS LIMITED

Effective date: 20050608

Owner name: CP8 TECHNOLOGIES

Effective date: 20050608

26N No opposition filed

Effective date: 20050707

REG Reference to a national code

Ref country code: CH

Ref legal event code: PCAR

Free format text: ISLER & PEDRAZZINI AG;POSTFACH 1772;8027 ZUERICH (CH)

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 17

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 18

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 19

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 20

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20180321

Year of fee payment: 20

Ref country code: CH

Payment date: 20180326

Year of fee payment: 20

Ref country code: NL

Payment date: 20180326

Year of fee payment: 20

Ref country code: DK

Payment date: 20180322

Year of fee payment: 20

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: SE

Payment date: 20180326

Year of fee payment: 20

Ref country code: BE

Payment date: 20180323

Year of fee payment: 20

Ref country code: FR

Payment date: 20180322

Year of fee payment: 20

Ref country code: IT

Payment date: 20180326

Year of fee payment: 20

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: ES

Payment date: 20180504

Year of fee payment: 20

Ref country code: DE

Payment date: 20180320

Year of fee payment: 20

REG Reference to a national code

Ref country code: ES

Ref legal event code: PC2A

Owner name: ACANO (UK) LIMITED

Effective date: 20181022

REG Reference to a national code

Ref country code: CH

Ref legal event code: PUE

Owner name: ACANO (UK) LIMITED, GB

Free format text: FORMER OWNER: NDS LIMITED, GB

REG Reference to a national code

Ref country code: BE

Ref legal event code: PD

Owner name: ACANO (UK) LIMITED; GB

Free format text: DETAILS ASSIGNMENT: CHANGE OF OWNER(S), CESSION; FORMER OWNER NAME: NDS LIMITED

Effective date: 20181018

REG Reference to a national code

Ref country code: DE

Ref legal event code: R082

Ref document number: 69920875

Country of ref document: DE

Representative=s name: GRAF VON STOSCH PATENTANWALTSGESELLSCHAFT MBH, DE

Ref country code: DE

Ref legal event code: R081

Ref document number: 69920875

Country of ref document: DE

Owner name: ACANO (UK) LTD., GB

Free format text: FORMER OWNERS: CP8 TECHNOLOGIES, LOUVECIENNES, FR; NDS LTD., WEST DRAYTON, MIDDLESEX, GB

REG Reference to a national code

Ref country code: NL

Ref legal event code: PD

Owner name: ACANO (UK) LIMITED; GB

Free format text: DETAILS ASSIGNMENT: CHANGE OF OWNER(S), ASSIGNMENT; FORMER OWNER NAME: NDS LIMITED

Effective date: 20181023

REG Reference to a national code

Ref country code: DE

Ref legal event code: R071

Ref document number: 69920875

Country of ref document: DE

REG Reference to a national code

Ref country code: NL

Ref legal event code: MK

Effective date: 20190428

REG Reference to a national code

Ref country code: DK

Ref legal event code: EUP

Effective date: 20190429

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

Ref country code: GB

Ref legal event code: PE20

Expiry date: 20190428

REG Reference to a national code

Ref country code: SE

Ref legal event code: EUG

REG Reference to a national code

Ref country code: BE

Ref legal event code: MK

Effective date: 20190429

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: GB

Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION

Effective date: 20190428

REG Reference to a national code

Ref country code: ES

Ref legal event code: FD2A

Effective date: 20200806

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: ES

Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION

Effective date: 20190430